From c6485458b37e3f0f5d1c69c0452e4551ac3b1824 Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Thu, 8 Jan 2015 22:40:39 +0000 Subject: Import OpenSSL 1.0.1k. --- ssl/d1_both.c | 162 +++++++++++++++++++++++++++++++++------------------------ ssl/d1_clnt.c | 25 ++++----- ssl/d1_enc.c | 3 +- ssl/d1_lib.c | 38 +++++++++++--- ssl/d1_pkt.c | 37 ++++++++----- ssl/d1_srvr.c | 53 ++++++++++++------- ssl/dtls1.h | 8 +++ ssl/kssl.c | 72 ++++++++++++------------- ssl/s23_srvr.c | 7 ++- ssl/s2_enc.c | 12 +++-- ssl/s2_pkt.c | 9 +++- ssl/s2_srvr.c | 22 +++++--- ssl/s3_both.c | 1 + ssl/s3_clnt.c | 131 +++++++++++++++++----------------------------- ssl/s3_enc.c | 3 +- ssl/s3_lib.c | 16 +++--- ssl/s3_meth.c | 5 +- ssl/s3_pkt.c | 5 +- ssl/s3_srvr.c | 143 +++++++++++++++++++++++++++++++++++--------------- ssl/srtp.h | 4 +- ssl/ssl.h | 28 +++++++--- ssl/ssl3.h | 13 +++-- ssl/ssl_cert.c | 29 ----------- ssl/ssl_ciph.c | 12 ++--- ssl/ssl_lib.c | 46 ++++++++-------- ssl/ssl_locl.h | 7 +-- ssl/ssl_sess.c | 16 +++++- ssl/ssltest.c | 77 ++++++++++++++++++++------- ssl/t1_enc.c | 70 ++++++++++++------------- ssl/t1_lib.c | 38 ++++++++++---- 30 files changed, 646 insertions(+), 446 deletions(-) (limited to 'ssl') diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 2e4250fcfecf..1b9d64bf6027 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -156,9 +156,8 @@ static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; /* XDTLS: figure out the right values */ -static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; +static const unsigned int g_probable_mtu[] = {1500, 512, 256}; -static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len); static unsigned char *dtls1_write_message_header(SSL *s, @@ -211,8 +210,7 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) return frag; } -static void -dtls1_hm_fragment_free(hm_fragment *frag) +void dtls1_hm_fragment_free(hm_fragment *frag) { if (frag->msg_header.is_ccs) @@ -225,53 +223,50 @@ dtls1_hm_fragment_free(hm_fragment *frag) OPENSSL_free(frag); } -/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ -int dtls1_do_write(SSL *s, int type) - { - int ret; - int curr_mtu; - unsigned int len, frag_off, mac_size, blocksize; +static int dtls1_query_mtu(SSL *s) +{ + if(s->d1->link_mtu) + { + s->d1->mtu = s->d1->link_mtu-BIO_dgram_get_mtu_overhead(SSL_get_wbio(s)); + s->d1->link_mtu = 0; + } /* AHA! Figure out the MTU, and stick to the right size */ - if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) + if (s->d1->mtu < dtls1_min_mtu(s)) { - s->d1->mtu = - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); - - /* I've seen the kernel return bogus numbers when it doesn't know - * (initial write), so just make sure we have a reasonable number */ - if (s->d1->mtu < dtls1_min_mtu()) + if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { - s->d1->mtu = 0; - s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, - s->d1->mtu, NULL); + s->d1->mtu = + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); + + /* I've seen the kernel return bogus numbers when it doesn't know + * (initial write), so just make sure we have a reasonable number */ + if (s->d1->mtu < dtls1_min_mtu(s)) + { + /* Set to min mtu */ + s->d1->mtu = dtls1_min_mtu(s); + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, + s->d1->mtu, NULL); + } } + else + return 0; } -#if 0 - mtu = s->d1->mtu; - - fprintf(stderr, "using MTU = %d\n", mtu); - - mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH); - - curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s)); + return 1; +} - if ( curr_mtu > 0) - mtu = curr_mtu; - else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0) - return ret; +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ +int dtls1_do_write(SSL *s, int type) + { + int ret; + unsigned int curr_mtu; + int retry = 1; + unsigned int len, frag_off, mac_size, blocksize, used_len; - if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) - { - ret = BIO_flush(SSL_get_wbio(s)); - if ( ret <= 0) - return ret; - mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH); - } -#endif + if(!dtls1_query_mtu(s)) + return -1; - OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */ + OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu(s)); /* should have something reasonable now */ if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE) OPENSSL_assert(s->init_num == @@ -289,10 +284,15 @@ int dtls1_do_write(SSL *s, int type) blocksize = 0; frag_off = 0; - while( s->init_num) + /* s->init_num shouldn't ever be < 0...but just in case */ + while(s->init_num > 0) { - curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - - DTLS1_RT_HEADER_LENGTH - mac_size - blocksize; + used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH + + mac_size + blocksize; + if(s->d1->mtu > used_len) + curr_mtu = s->d1->mtu - used_len; + else + curr_mtu = 0; if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH) { @@ -300,15 +300,27 @@ int dtls1_do_write(SSL *s, int type) ret = BIO_flush(SSL_get_wbio(s)); if ( ret <= 0) return ret; - curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - - mac_size - blocksize; + used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; + if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) + { + curr_mtu = s->d1->mtu - used_len; + } + else + { + /* Shouldn't happen */ + return -1; + } } - if ( s->init_num > curr_mtu) + /* We just checked that s->init_num > 0 so this cast should be safe */ + if (((unsigned int)s->init_num) > curr_mtu) len = curr_mtu; else len = s->init_num; + /* Shouldn't ever happen */ + if(len > INT_MAX) + len = INT_MAX; /* XDTLS: this function is too long. split out the CCS part */ if ( type == SSL3_RT_HANDSHAKE) @@ -319,18 +331,29 @@ int dtls1_do_write(SSL *s, int type) s->init_off -= DTLS1_HM_HEADER_LENGTH; s->init_num += DTLS1_HM_HEADER_LENGTH; - if ( s->init_num > curr_mtu) + /* We just checked that s->init_num > 0 so this cast should be safe */ + if (((unsigned int)s->init_num) > curr_mtu) len = curr_mtu; else len = s->init_num; } + /* Shouldn't ever happen */ + if(len > INT_MAX) + len = INT_MAX; + + if ( len < DTLS1_HM_HEADER_LENGTH ) + { + /* + * len is so small that we really can't do anything sensible + * so fail + */ + return -1; + } dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]); - - OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); } ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off], @@ -343,12 +366,23 @@ int dtls1_do_write(SSL *s, int type) * is fine and wait for an alert to handle the * retransmit */ - if ( BIO_ctrl(SSL_get_wbio(s), + if ( retry && BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 ) - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), - BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); + { + if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) + { + if(!dtls1_query_mtu(s)) + return -1; + /* Have one more go */ + retry = 0; + } + else + return -1; + } else + { return(-1); + } } else { @@ -1412,28 +1446,20 @@ dtls1_write_message_header(SSL *s, unsigned char *p) return p; } -unsigned int -dtls1_min_mtu(void) +unsigned int +dtls1_link_min_mtu(void) { return (g_probable_mtu[(sizeof(g_probable_mtu) / sizeof(g_probable_mtu[0])) - 1]); } -static unsigned int -dtls1_guess_mtu(unsigned int curr_mtu) +unsigned int +dtls1_min_mtu(SSL *s) { - unsigned int i; - - if ( curr_mtu == 0 ) - return g_probable_mtu[0] ; - - for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++) - if ( curr_mtu > g_probable_mtu[i]) - return g_probable_mtu[i]; - - return curr_mtu; + return dtls1_link_min_mtu()-BIO_dgram_get_mtu_overhead(SSL_get_wbio(s)); } + void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) { diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index fd6562c114dc..9045fb9902f5 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -249,6 +249,9 @@ int dtls1_connect(SSL *s) memset(s->s3->client_random,0,sizeof(s->s3->client_random)); s->d1->send_cookie = 0; s->hit = 0; + s->d1->change_cipher_spec_ok = 0; + /* Should have been reset by ssl3_get_finished, too. */ + s->s3->change_cipher_spec = 0; break; #ifndef OPENSSL_NO_SCTP @@ -370,20 +373,6 @@ int dtls1_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT - ret=ssl3_check_finished(s); - if (ret <= 0) goto end; - if (ret == 2) - { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state=SSL3_ST_CR_SESSION_TICKET_A; - else - s->state=SSL3_ST_CR_FINISHED_A; - s->init_num=0; - break; - } -#endif /* Check if it is anon DH or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) @@ -506,7 +495,6 @@ int dtls1_connect(SSL *s) else #endif s->state=SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec=0; } s->init_num=0; @@ -527,7 +515,6 @@ int dtls1_connect(SSL *s) #endif s->state=SSL3_ST_CW_CHANGE_A; s->init_num=0; - s->s3->change_cipher_spec=0; break; case SSL3_ST_CW_CHANGE_A: @@ -1730,6 +1717,12 @@ int dtls1_send_client_certificate(SSL *s) s->state=SSL3_ST_CW_CERT_D; l=dtls1_output_cert_chain(s, (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); + if (!l) + { + SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); + return 0; + } s->init_num=(int)l; s->init_off=0; diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c index 712c4647f24c..3da2b4c8c2a7 100644 --- a/ssl/d1_enc.c +++ b/ssl/d1_enc.c @@ -241,7 +241,8 @@ int dtls1_enc(SSL *s, int send) return 0; } - EVP_Cipher(ds,rec->data,rec->input,l); + if(EVP_Cipher(ds,rec->data,rec->input,l) < 1) + return -1; #ifdef KSSL_DEBUG { diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 82ca65392063..14337b31a4e9 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -113,6 +113,9 @@ int dtls1_new(SSL *s) d1->cookie_len = sizeof(s->d1->cookie); } + d1->link_mtu = 0; + d1->mtu = 0; + if( ! d1->unprocessed_rcds.q || ! d1->processed_rcds.q || ! d1->buffered_messages || ! d1->sent_messages || ! d1->buffered_app_data.q) { @@ -161,16 +164,14 @@ static void dtls1_clear_queues(SSL *s) while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL) { frag = (hm_fragment *)item->data; - OPENSSL_free(frag->fragment); - OPENSSL_free(frag); + dtls1_hm_fragment_free(frag); pitem_free(item); } while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL) { frag = (hm_fragment *)item->data; - OPENSSL_free(frag->fragment); - OPENSSL_free(frag); + dtls1_hm_fragment_free(frag); pitem_free(item); } @@ -210,6 +211,7 @@ void dtls1_clear(SSL *s) pqueue sent_messages; pqueue buffered_app_data; unsigned int mtu; + unsigned int link_mtu; if (s->d1) { @@ -219,6 +221,7 @@ void dtls1_clear(SSL *s) sent_messages = s->d1->sent_messages; buffered_app_data = s->d1->buffered_app_data.q; mtu = s->d1->mtu; + link_mtu = s->d1->link_mtu; dtls1_clear_queues(s); @@ -232,6 +235,7 @@ void dtls1_clear(SSL *s) if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) { s->d1->mtu = mtu; + s->d1->link_mtu = link_mtu; } s->d1->unprocessed_rcds.q = unprocessed_rcds; @@ -276,7 +280,22 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) /* Just one protocol version is supported so far; * fail closed if the version is not as expected. */ return s->version == DTLS_MAX_VERSION; - + case DTLS_CTRL_SET_LINK_MTU: + if (larg < (long)dtls1_link_min_mtu()) + return 0; + s->d1->link_mtu = larg; + return 1; + case DTLS_CTRL_GET_LINK_MIN_MTU: + return (long)dtls1_link_min_mtu(); + case SSL_CTRL_SET_MTU: + /* + * We may not have a BIO set yet so can't call dtls1_min_mtu() + * We'll have to make do with dtls1_link_min_mtu() and max overhead + */ + if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD) + return 0; + s->d1->mtu = larg; + return larg; default: ret = ssl3_ctrl(s, cmd, larg, parg); break; @@ -415,12 +434,17 @@ void dtls1_stop_timer(SSL *s) int dtls1_check_timeout_num(SSL *s) { + unsigned int mtu; + s->d1->timeout.num_alerts++; /* Reduce MTU after 2 unsuccessful retransmissions */ - if (s->d1->timeout.num_alerts > 2) + if (s->d1->timeout.num_alerts > 2 + && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); + mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); + if(mtu < s->d1->mtu) + s->d1->mtu = mtu; } if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 438c0913d24e..0059fe2f152d 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) /* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; - + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL) @@ -247,18 +247,22 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) if (!ssl3_setup_buffers(s)) { SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + if (rdata->rbuf.buf != NULL) + OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return(0); + return(-1); } /* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + if (rdata->rbuf.buf != NULL) + OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return(0); + return(-1); } return(1); @@ -314,8 +318,9 @@ dtls1_process_buffered_records(SSL *s) dtls1_get_unprocessed_record(s); if ( ! dtls1_process_record(s)) return(0); - dtls1_buffer_record(s, &(s->d1->processed_rcds), - s->s3->rrec.seq_num); + if(dtls1_buffer_record(s, &(s->d1->processed_rcds), + s->s3->rrec.seq_num)<0) + return -1; } } @@ -530,7 +535,6 @@ printf("\n"); /* we have pulled in a full packet so zero things */ s->packet_length=0; - dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ return(1); f_err: @@ -563,7 +567,8 @@ int dtls1_get_record(SSL *s) /* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ - dtls1_process_buffered_records(s); + if(dtls1_process_buffered_records(s)<0) + return -1; /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -642,8 +647,6 @@ again: /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ i=rr->length; n=ssl3_read_n(s,i,i,1); - if (n <= 0) return(n); /* error or non-blocking io */ - /* this packet contained a partial record, dump it */ if ( n != i) { @@ -678,7 +681,8 @@ again: * would be dropped unnecessarily. */ if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && - *p == SSL3_MT_CLIENT_HELLO) && + s->packet_length > DTLS1_RT_HEADER_LENGTH && + s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && !dtls1_record_replay_check(s, bitmap)) { rr->length = 0; @@ -701,7 +705,9 @@ again: { if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { - dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0) + return -1; + dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ } rr->length = 0; s->packet_length = 0; @@ -714,6 +720,7 @@ again: s->packet_length = 0; /* dump this record */ goto again; /* get another record */ } + dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ return(1); @@ -865,7 +872,11 @@ start: * buffer the application data for later processing rather * than dropping the connection. */ - dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); + if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0) + { + SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); + return -1; + } rr->length = 0; goto start; } @@ -1619,7 +1630,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, wr->length += bs; } - s->method->ssl3_enc->enc(s,1); + if(s->method->ssl3_enc->enc(s,1) < 1) goto err; /* record length after mac and block padding */ /* if (type == SSL3_RT_APPLICATION_DATA || diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 4b8ba3e452f3..da4c21e06a1c 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -233,6 +233,7 @@ int dtls1_accept(SSL *s) } if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) { + BUF_MEM_free(buf); ret= -1; goto end; } @@ -246,6 +247,9 @@ int dtls1_accept(SSL *s) } s->init_num=0; + s->d1->change_cipher_spec_ok = 0; + /* Should have been reset by ssl3_get_finished, too. */ + s->s3->change_cipher_spec = 0; if (s->state != SSL_ST_RENEGOTIATE) { @@ -450,24 +454,15 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_B: alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - /* clear this, it may get reset by - * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(alg_k & SSL_kKRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + /* + * clear this, it may get reset by + * send_server_key_exchange + */ + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange or * RSA but we have a sign only certificate */ - if (s->s3->tmp.use_rsa_tmp + if (0 /* PSK: send ServerKeyExchange if PSK identity * hint if provided */ #ifndef OPENSSL_NO_PSK @@ -658,8 +653,14 @@ int dtls1_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - - s->d1->change_cipher_spec_ok = 1; + /* + * This *should* be the first time we enable CCS, but be + * extra careful about surrounding code changes. We need + * to set this here because we don't know if we're + * expecting a CertificateVerify or not. + */ + if (!s->s3->change_cipher_spec) + s->d1->change_cipher_spec_ok = 1; /* we should decide if we expected this one */ ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -675,7 +676,18 @@ int dtls1_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: - s->d1->change_cipher_spec_ok = 1; + /* + * Enable CCS for resumed handshakes. + * In a full handshake, we end up here through + * SSL3_ST_SR_CERT_VRFY_B, so change_cipher_spec_ok was + * already set. Receiving a CCS clears the flag, so make + * sure not to re-enable it to ban duplicates. + * s->s3->change_cipher_spec is set when a CCS is + * processed in d1_pkt.c, and remains set until + * the client's Finished message is read. + */ + if (!s->s3->change_cipher_spec) + s->d1->change_cipher_spec_ok = 1; ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; @@ -1604,6 +1616,11 @@ int dtls1_send_server_certificate(SSL *s) } l=dtls1_output_cert_chain(s,x); + if (!l) + { + SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); + return(0); + } s->state=SSL3_ST_SW_CERT_B; s->init_num=(int)l; s->init_off=0; diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 192c5deff98a..338575268f9e 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -117,6 +117,9 @@ extern "C" { #define DTLS1_SCTP_AUTH_LABEL "EXPORTER_DTLS_OVER_SCTP" #endif +/* Max MTU overhead we know about so far is 40 for IPv6 + 8 for UDP */ +#define DTLS1_MAX_MTU_OVERHEAD 48 + typedef struct dtls1_bitmap_st { unsigned long map; /* track 32 packets on 32-bit systems @@ -231,6 +234,7 @@ typedef struct dtls1_state_st /* Is set when listening for new connections with dtls1_listen() */ unsigned int listen; + unsigned int link_mtu; /* max on-the-wire DTLS packet size */ unsigned int mtu; /* max DTLS packet size */ struct hm_header_st w_msg_hdr; @@ -252,6 +256,10 @@ typedef struct dtls1_state_st unsigned int handshake_fragment_len; unsigned int retransmitting; + /* + * Set when the handshake is ready to process peer's ChangeCipherSpec message. + * Cleared after the message has been processed. + */ unsigned int change_cipher_spec_ok; #ifndef OPENSSL_NO_SCTP diff --git a/ssl/kssl.c b/ssl/kssl.c index fd7c67bb1fcb..950a0c56f1a9 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -954,15 +954,15 @@ print_krb5_data(char *label, krb5_data *kdata) { int i; - printf("%s[%d] ", label, kdata->length); + fprintf(stderr,"%s[%d] ", label, kdata->length); for (i=0; i < (int)kdata->length; i++) { if (0 && isprint((int) kdata->data[i])) - printf( "%c ", kdata->data[i]); + fprintf(stderr, "%c ", kdata->data[i]); else - printf( "%02x ", (unsigned char) kdata->data[i]); + fprintf(stderr, "%02x ", (unsigned char) kdata->data[i]); } - printf("\n"); + fprintf(stderr,"\n"); } @@ -973,20 +973,20 @@ print_krb5_authdata(char *label, krb5_authdata **adata) { if (adata == NULL) { - printf("%s, authdata==0\n", label); + fprintf(stderr,"%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, (void *)adata); + fprintf(stderr,"%s [%p]\n", label, (void *)adata); #if 0 { int i; - printf("%s[at%d:%d] ", label, adata->ad_type, adata->length); + fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length); for (i=0; i < adata->length; i++) { - printf((isprint(adata->contents[i]))? "%c ": "%02x", + fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x", adata->contents[i]); } - printf("\n"); + fprintf(stderr,"\n"); } #endif } @@ -1001,24 +1001,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk) if (keyblk == NULL) { - printf("%s, keyblk==0\n", label); + fprintf(stderr,"%s, keyblk==0\n", label); return; } #ifdef KRB5_HEIMDAL - printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, + fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype, keyblk->keyvalue->length); for (i=0; i < (int)keyblk->keyvalue->length; i++) { - printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); + fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); } - printf("\n"); + fprintf(stderr,"\n"); #else - printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); + fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); for (i=0; i < (int)keyblk->length; i++) { - printf("%02x",keyblk->contents[i]); + fprintf(stderr,"%02x",keyblk->contents[i]); } - printf("\n"); + fprintf(stderr,"\n"); #endif } @@ -1031,17 +1031,17 @@ print_krb5_princ(char *label, krb5_principal_data *princ) { int i, ui, uj; - printf("%s principal Realm: ", label); + fprintf(stderr,"%s principal Realm: ", label); if (princ == NULL) return; for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]); - printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); + fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length); for (i=0; i < (int)princ->length; i++) { - printf("\t%d [%d]: ", i, princ->data[i].length); + fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length); for (uj=0; uj < (int)princ->data[i].length; uj++) { putchar(princ->data[i].data[uj]); } - printf("\n"); + fprintf(stderr,"\n"); } return; } @@ -1332,7 +1332,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, } #ifdef KSSL_DEBUG - printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); + fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); #endif /* KSSL_DEBUG */ if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) @@ -1481,18 +1481,18 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, #ifdef KSSL_DEBUG { int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; - printf("Decrypted ticket fields:\n"); - printf("\tflags: %X, transit-type: %X", + fprintf(stderr,"Decrypted ticket fields:\n"); + fprintf(stderr,"\tflags: %X, transit-type: %X", krb5ticket->enc_part2->flags, krb5ticket->enc_part2->transited.tr_type); print_krb5_data("\ttransit-data: ", &(krb5ticket->enc_part2->transited.tr_contents)); - printf("\tcaddrs: %p, authdata: %p\n", + fprintf(stderr,"\tcaddrs: %p, authdata: %p\n", krb5ticket->enc_part2->caddrs, krb5ticket->enc_part2->authorization_data); if (paddr) { - printf("\tcaddrs:\n"); + fprintf(stderr,"\tcaddrs:\n"); for (i=0; paddr[i] != NULL; i++) { krb5_data d; @@ -1501,7 +1501,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, print_krb5_data("\t\tIP: ", &d); } } - printf("\tstart/auth/end times: %d / %d / %d\n", + fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n", krb5ticket->enc_part2->times.starttime, krb5ticket->enc_part2->times.authtime, krb5ticket->enc_part2->times.endtime); @@ -1976,7 +1976,7 @@ krb5_error_code kssl_validate_times( krb5_timestamp atime, if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED; #ifdef KSSL_DEBUG - printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", + fprintf(stderr,"kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", start, atime, now, skew, ttimes->endtime); #endif /* KSSL_DEBUG */ @@ -2027,10 +2027,10 @@ krb5_error_code kssl_check_authent( #ifdef KSSL_DEBUG { unsigned int ui; - printf("kssl_check_authent: authenticator[%d]:\n",authentp->length); + fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length); p = authentp->data; - for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]); - printf("\n"); + for (ui=0; ui < authentp->length; ui++) fprintf(stderr,"%02x ",p[ui]); + fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -2095,9 +2095,9 @@ krb5_error_code kssl_check_authent( #ifdef KSSL_DEBUG { int padl; - printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); - for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]); - printf("\n"); + fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl); + for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]); + fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -2132,10 +2132,10 @@ krb5_error_code kssl_check_authent( } #ifdef KSSL_DEBUG - printf("kssl_check_authent: returns %d for client time ", *atimep); + fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep); if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) - printf("%.*s\n", auth->ctime->length, auth->ctime->data); - else printf("NULL\n"); + fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data); + else fprintf(stderr,"NULL\n"); #endif /* KSSL_DEBUG */ err: diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 93ca7d53cda4..3178815ec99b 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -192,6 +192,7 @@ int ssl23_accept(SSL *s) } if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) { + BUF_MEM_free(buf); ret= -1; goto end; } @@ -602,12 +603,14 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ - s->method = ssl23_get_server_method(s->version); - if (s->method == NULL) + const SSL_METHOD *new_method; + new_method = ssl23_get_server_method(s->version); + if (new_method == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; } + s->method = new_method; if (!ssl_init_wbio_buffer(s,1)) goto err; diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c index ff3395f459e7..a35968f63a7f 100644 --- a/ssl/s2_enc.c +++ b/ssl/s2_enc.c @@ -117,8 +117,9 @@ err: /* read/writes from s->s2->mac_data using length for encrypt and * decrypt. It sets s->s2->padding and s->[rw]length - * if we are encrypting */ -void ssl2_enc(SSL *s, int send) + * if we are encrypting + * Returns 0 on error and 1 on success */ +int ssl2_enc(SSL *s, int send) { EVP_CIPHER_CTX *ds; unsigned long l; @@ -136,7 +137,7 @@ void ssl2_enc(SSL *s, int send) } /* check for NULL cipher */ - if (ds == NULL) return; + if (ds == NULL) return 1; bs=ds->cipher->block_size; @@ -145,7 +146,10 @@ void ssl2_enc(SSL *s, int send) if (bs == 8) l=(l+7)/8*8; - EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l); + if(EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l) < 1) + return 0; + + return 1; } void ssl2_mac(SSL *s, unsigned char *md, int send) diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index 8bb6ab8baa33..acd61dc546af 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c @@ -265,7 +265,11 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) if ((!s->s2->clear_text) && (s->s2->rlength >= (unsigned int)mac_size)) { - ssl2_enc(s,0); + if(!ssl2_enc(s,0)) + { + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_DECRYPTION_FAILED); + return(-1); + } s->s2->ract_data_length-=mac_size; ssl2_mac(s,mac,0); s->s2->ract_data_length-=s->s2->padding; @@ -616,7 +620,8 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->wact_data_length=len+p; ssl2_mac(s,s->s2->mac_data,1); s->s2->wlength+=p+mac_size; - ssl2_enc(s,1); + if(ssl2_enc(s,1) < 1) + return -1; } /* package up the header */ diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 2cba426bb7ef..59ced3f3052f 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -188,13 +188,21 @@ int ssl2_accept(SSL *s) s->version=SSL2_VERSION; s->type=SSL_ST_ACCEPT; - buf=s->init_buf; - if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL)) - { ret= -1; goto end; } - if (!BUF_MEM_grow(buf,(int) - SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) - { ret= -1; goto end; } - s->init_buf=buf; + if(s->init_buf == NULL) + { + if ((buf=BUF_MEM_new()) == NULL) + { + ret= -1; + goto end; + } + if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) + { + BUF_MEM_free(buf); + ret= -1; + goto end; + } + s->init_buf=buf; + } s->init_num=0; s->ctx->stats.sess_accept++; s->handshake_func=ssl2_accept; diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 53b9390fdd3a..3581fbf4ff42 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -439,6 +439,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) goto f_err; } *ok=1; + s->state = stn; s->init_msg = s->init_buf->data + 4; s->init_num = (int)s->s3->tmp.message_size; return s->init_num; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 263e6348c978..7692716988ac 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -167,9 +167,9 @@ #include #endif -static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); +#ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) { if (ver == SSL3_VERSION) @@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method, ssl_undefined_function, ssl3_connect, ssl3_get_client_method) +#endif int ssl3_connect(SSL *s) { @@ -272,6 +273,9 @@ int ssl3_connect(SSL *s) s->state=SSL3_ST_CW_CLNT_HELLO_A; s->ctx->stats.sess_connect++; s->init_num=0; + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + /* Should have been reset by ssl3_get_finished, too. */ + s->s3->change_cipher_spec = 0; break; case SSL3_ST_CW_CLNT_HELLO_A: @@ -312,20 +316,6 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT - ret=ssl3_check_finished(s); - if (ret <= 0) goto end; - if (ret == 2) - { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state=SSL3_ST_CR_SESSION_TICKET_A; - else - s->state=SSL3_ST_CR_FINISHED_A; - s->init_num=0; - break; - } -#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && @@ -433,12 +423,10 @@ int ssl3_connect(SSL *s) else { s->state=SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec=0; } if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { s->state=SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec=0; } s->init_num=0; @@ -450,7 +438,6 @@ int ssl3_connect(SSL *s) if (ret <= 0) goto end; s->state=SSL3_ST_CW_CHANGE_A; s->init_num=0; - s->s3->change_cipher_spec=0; break; case SSL3_ST_CW_CHANGE_A: @@ -510,7 +497,6 @@ int ssl3_connect(SSL *s) s->method->ssl3_enc->client_finished_label, s->method->ssl3_enc->client_finished_label_len); if (ret <= 0) goto end; - s->s3->flags |= SSL3_FLAGS_CCS_OK; s->state=SSL3_ST_CW_FLUSH; /* clear flags */ @@ -559,7 +545,6 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); @@ -669,11 +654,7 @@ int ssl3_client_hello(SSL *s) SSL_SESSION *sess = s->session; if ((sess == NULL) || (sess->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT !sess->session_id_length || -#else - (!sess->session_id_length && !sess->tlsext_tick) || -#endif (sess->not_resumable)) { if (!ssl_get_new_session(s,0)) @@ -879,6 +860,8 @@ int ssl3_get_server_hello(SSL *s) memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; + s->hit = 0; + /* get the session-id */ j= *(p++); @@ -902,12 +885,12 @@ int ssl3_get_server_hello(SSL *s) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j); - s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->hit = 1; } } #endif /* OPENSSL_NO_TLSEXT */ - if (j != 0 && j == s->session->session_id_length + if (!s->hit && j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length @@ -918,14 +901,13 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } - s->s3->flags |= SSL3_FLAGS_CCS_OK; s->hit=1; } - else /* a miss or crap from the other end */ + /* a miss or crap from the other end */ + if (!s->hit) { /* If we were trying for session-id reuse, make a new * SSL_SESSION so we don't stuff up other people */ - s->hit=0; if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s,0)) @@ -1203,9 +1185,9 @@ int ssl3_get_server_certificate(SSL *s) ? 0 : 1; #ifdef KSSL_DEBUG - printf("pkey,x = %p, %p\n", pkey,x); - printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); - printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, + fprintf(stderr,"pkey,x = %p, %p\n", pkey,x); + fprintf(stderr,"ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); + fprintf(stderr,"cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); #endif /* KSSL_DEBUG */ @@ -1295,6 +1277,8 @@ int ssl3_get_key_exchange(SSL *s) int encoded_pt_len = 0; #endif + EVP_MD_CTX_init(&md_ctx); + /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, @@ -1305,14 +1289,26 @@ int ssl3_get_key_exchange(SSL *s) &ok); if (!ok) return((int)n); + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg_k & (SSL_kEDH|SSL_kEECDH)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) + if (alg_k & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint) @@ -1357,9 +1353,7 @@ int ssl3_get_key_exchange(SSL *s) /* Total length of the parameters including the length prefix */ param_len=0; - alg_k=s->s3->tmp.new_cipher->algorithm_mkey; alg_a=s->s3->tmp.new_cipher->algorithm_auth; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR; @@ -1543,6 +1537,13 @@ int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_RSA if (alg_k & SSL_kRSA) { + /* Temporary RSA keys only allowed in export ciphersuites */ + if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } if ((rsa=RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); @@ -2174,24 +2175,13 @@ int ssl3_get_new_session_ticket(SSL *s) n=s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B, - -1, + SSL3_MT_NEWSESSION_TICKET, 16384, &ok); if (!ok) return((int)n); - if (s->s3->tmp.message_type == SSL3_MT_FINISHED) - { - s->s3->tmp.reuse_message=1; - return(1); - } - if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) - { - al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } if (n < 6) { /* need at least ticket_lifetime_hint + ticket length */ @@ -2223,7 +2213,7 @@ int ssl3_get_new_session_ticket(SSL *s) } memcpy(s->session->tlsext_tick, p, ticklen); s->session->tlsext_ticklen = ticklen; - /* There are two ways to detect a resumed ticket sesion. + /* There are two ways to detect a resumed ticket session. * One is to set an appropriate session ID and then the server * must return a match in ServerHello. This allows the normal * client session ID matching to work and we know much @@ -2462,7 +2452,7 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_CIPHER_CTX_init(&ciph_ctx); #ifdef KSSL_DEBUG - printf("ssl3_send_client_key_exchange(%lx & %lx)\n", + fprintf(stderr,"ssl3_send_client_key_exchange(%lx & %lx)\n", alg_k, SSL_kKRB5); #endif /* KSSL_DEBUG */ @@ -2478,9 +2468,9 @@ int ssl3_send_client_key_exchange(SSL *s) goto err; #ifdef KSSL_DEBUG { - printf("kssl_cget_tkt rtn %d\n", krb5rc); + fprintf(stderr,"kssl_cget_tkt rtn %d\n", krb5rc); if (krb5rc && kssl_err.text) - printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); + fprintf(stderr,"kssl_cget_tkt kssl_err=%s\n", kssl_err.text); } #endif /* KSSL_DEBUG */ @@ -3309,6 +3299,12 @@ int ssl3_send_client_certificate(SSL *s) s->state=SSL3_ST_CW_CERT_D; l=ssl3_output_cert_chain(s, (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); + if (!l) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); + return 0; + } s->init_num=(int)l; s->init_off=0; } @@ -3478,40 +3474,9 @@ int ssl3_send_next_proto(SSL *s) } return ssl3_do_write(s, SSL3_RT_HANDSHAKE); -} + } #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ -/* Check to see if handshake is full or resumed. Usually this is just a - * case of checking to see if a cache hit has occurred. In the case of - * session tickets we have to check the next message to be sure. - */ - -#ifndef OPENSSL_NO_TLSEXT -int ssl3_check_finished(SSL *s) - { - int ok; - long n; - /* If we have no ticket it cannot be a resumed session. */ - if (!s->session->tlsext_tick) - return 1; - /* this function is called when we really expect a Certificate - * message, so permit appropriate message length */ - n=s->method->ssl_get_message(s, - SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, - -1, - s->max_cert_list, - &ok); - if (!ok) return((int)n); - s->s3->tmp.reuse_message = 1; - if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) - || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) - return 2; - - return 1; - } -#endif - int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { int i = 0; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 9db45af7ea7f..89c133e681ed 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -535,7 +535,8 @@ int ssl3_enc(SSL *s, int send) /* otherwise, rec->length >= bs */ } - EVP_Cipher(ds,rec->data,rec->input,l); + if(EVP_Cipher(ds,rec->data,rec->input,l) < 1) + return -1; if (EVP_MD_CTX_md(s->read_hash) != NULL) mac_size = EVP_MD_CTX_size(s->read_hash); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 3f1745336b22..e7cbef4814a5 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3810,17 +3810,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef CIPHER_DEBUG - printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); + fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) { c=sk_SSL_CIPHER_value(srvr,i); - printf("%p:%s\n",(void *)c,c->name); + fprintf(stderr, "%p:%s\n",(void *)c,c->name); } - printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); + fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { c=sk_SSL_CIPHER_value(clnt,i); - printf("%p:%s\n",(void *)c,c->name); + fprintf(stderr, "%p:%s\n",(void *)c,c->name); } #endif @@ -3860,7 +3860,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef KSSL_DEBUG -/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ +/* fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ #endif /* KSSL_DEBUG */ alg_k=c->algorithm_mkey; @@ -3883,7 +3883,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { ok = (alg_k & emask_k) && (alg_a & emask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, (void *)c,c->name); #endif } @@ -3891,7 +3891,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, c->name); #endif } @@ -4000,6 +4000,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } ok = ok && ec_ok; } +#ifndef OPENSSL_NO_ECDH if ( /* if we are considering an ECC cipher suite that uses an ephemeral EC key */ (alg_k & SSL_kEECDH) @@ -4047,6 +4048,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } ok = ok && ec_ok; } +#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_TLSEXT */ diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c index cdddb17b627d..4dec7033d6c9 100644 --- a/ssl/s3_meth.c +++ b/ssl/s3_meth.c @@ -60,7 +60,7 @@ #include #include "ssl_locl.h" -static const SSL_METHOD *ssl3_get_method(int ver); +#ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_method(int ver) { if (ver == SSL3_VERSION) @@ -73,5 +73,4 @@ IMPLEMENT_ssl3_meth_func(SSLv3_method, ssl3_accept, ssl3_connect, ssl3_get_method) - - +#endif diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 4c9285f355b2..1ec9e6ea46da 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -183,6 +183,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) * at once (as long as it fits into the buffer). */ if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) { + if (left == 0 && extend) + return 0; if (left > 0 && n > left) n = left; } @@ -856,8 +858,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, wr->length += eivlen; } - /* ssl3_enc can only have an error on read */ - s->method->ssl3_enc->enc(s,1); + if(s->method->ssl3_enc->enc(s,1)<1) goto err; /* record length after mac and block padding */ s2n(wr->length,plen); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index c23d98708029..fadca74ec269 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -170,6 +170,7 @@ #endif #include +#ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_server_method(int ver); static const SSL_METHOD *ssl3_get_server_method(int ver) @@ -180,6 +181,12 @@ static const SSL_METHOD *ssl3_get_server_method(int ver) return(NULL); } +IMPLEMENT_ssl3_meth_func(SSLv3_server_method, + ssl3_accept, + ssl_undefined_function, + ssl3_get_server_method) +#endif + #ifndef OPENSSL_NO_SRP static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) { @@ -206,11 +213,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) } #endif -IMPLEMENT_ssl3_meth_func(SSLv3_server_method, - ssl3_accept, - ssl_undefined_function, - ssl3_get_server_method) - int ssl3_accept(SSL *s) { BUF_MEM *buf; @@ -284,6 +286,7 @@ int ssl3_accept(SSL *s) } if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) { + BUF_MEM_free(buf); ret= -1; goto end; } @@ -298,6 +301,9 @@ int ssl3_accept(SSL *s) s->init_num=0; s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + /* Should have been reset by ssl3_get_finished, too. */ + s->s3->change_cipher_spec = 0; if (s->state != SSL_ST_RENEGOTIATE) { @@ -441,20 +447,11 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_B: alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - /* clear this, it may get reset by - * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(alg_k & SSL_kKRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + /* + * clear this, it may get reset by + * send_server_key_exchange + */ + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or @@ -468,7 +465,7 @@ int ssl3_accept(SSL *s) * server certificate contains the server's * public key for key exchange. */ - if (s->s3->tmp.use_rsa_tmp + if (0 /* PSK: send ServerKeyExchange if PSK identity * hint if provided */ #ifndef OPENSSL_NO_PSK @@ -674,8 +671,14 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - - s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This *should* be the first time we enable CCS, but be + * extra careful about surrounding code changes. We need + * to set this here because we don't know if we're + * expecting a CertificateVerify or not. + */ + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; /* we should decide if we expected this one */ ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -694,6 +697,19 @@ int ssl3_accept(SSL *s) #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_SR_NEXT_PROTO_A: case SSL3_ST_SR_NEXT_PROTO_B: + /* + * Enable CCS for resumed handshakes with NPN. + * In a full handshake with NPN, we end up here through + * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was + * already set. Receiving a CCS clears the flag, so make + * sure not to re-enable it to ban duplicates. + * s->s3->change_cipher_spec is set when a CCS is + * processed in s3_pkt.c, and remains set until + * the client's Finished message is read. + */ + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_next_proto(s); if (ret <= 0) goto end; s->init_num = 0; @@ -703,7 +719,18 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * Enable CCS for resumed handshakes without NPN. + * In a full handshake, we end up here through + * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was + * already set. Receiving a CCS clears the flag, so make + * sure not to re-enable it to ban duplicates. + * s->s3->change_cipher_spec is set when a CCS is + * processed in s3_pkt.c, and remains set until + * the client's Finished message is read. + */ + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; @@ -775,7 +802,6 @@ int ssl3_accept(SSL *s) #else if (s->s3->next_proto_neg_seen) { - s->s3->flags |= SSL3_FLAGS_CCS_OK; s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; } else @@ -1017,7 +1043,16 @@ int ssl3_get_client_hello(SSL *s) else { i=ssl_get_prev_session(s, p, j, d + n); - if (i == 1) + /* + * Only resume if the session's version matches the negotiated + * version. + * RFC 5246 does not provide much useful advice on resumption + * with a different protocol version. It doesn't forbid it but + * the sanity of such behaviour would be questionable. + * In practice, clients do not accept a version mismatch and + * will abort the handshake with an error. + */ + if (i == 1 && s->version == s->session->ssl_version) { /* previous session */ s->hit=1; } @@ -1112,14 +1147,15 @@ int ssl3_get_client_hello(SSL *s) id=s->session->cipher->id; #ifdef CIPHER_DEBUG - printf("client sent %d ciphers\n",sk_num(ciphers)); + fprintf(stderr,"client sent %d ciphers\n",sk_SSL_CIPHER_num(ciphers)); #endif for (i=0; iid == id) { @@ -2171,6 +2207,7 @@ int ssl3_get_client_key_exchange(SSL *s) unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; int decrypt_len; unsigned char decrypt_good, version_good; + size_t j; /* FIX THIS UP EAY EAY EAY EAY */ if (s->s3->tmp.use_rsa_tmp) @@ -2209,8 +2246,9 @@ int ssl3_get_client_key_exchange(SSL *s) { if (!(s->options & SSL_OP_TLS_D5_BUG)) { + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); - goto err; + goto f_err; } else p-=2; @@ -2219,6 +2257,20 @@ int ssl3_get_client_key_exchange(SSL *s) n=i; } + /* + * Reject overly short RSA ciphertext because we want to be sure + * that the buffer size makes it safe to iterate over the entire + * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The + * actual expected size is larger due to RSA padding, but the + * bound is sufficient to be safe. + */ + if (n < SSL_MAX_MASTER_KEY_LENGTH) + { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); + goto f_err; + } + /* We must not leak whether a decryption failure occurs because * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see * RFC 2246, section 7.4.7.1). The code follows that advice of @@ -2266,19 +2318,23 @@ int ssl3_get_client_key_exchange(SSL *s) * to remain non-zero (0xff). */ decrypt_good &= version_good; - /* Now copy rand_premaster_secret over p using - * decrypt_good_mask. */ - for (i = 0; i < (int) sizeof(rand_premaster_secret); i++) + /* + * Now copy rand_premaster_secret over from p using + * decrypt_good_mask. If decryption failed, then p does not + * contain valid plaintext, however, a check above guarantees + * it is still sufficiently large to read from. + */ + for (j = 0; j < sizeof(rand_premaster_secret); j++) { - p[i] = constant_time_select_8(decrypt_good, p[i], - rand_premaster_secret[i]); + p[j] = constant_time_select_8(decrypt_good, p[j], + rand_premaster_secret[j]); } s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, - p,i); - OPENSSL_cleanse(p,i); + p,sizeof(rand_premaster_secret)); + OPENSSL_cleanse(p,sizeof(rand_premaster_secret)); } else #endif @@ -2420,10 +2476,10 @@ int ssl3_get_client_key_exchange(SSL *s) &kssl_err)) != 0) { #ifdef KSSL_DEBUG - printf("kssl_sget_tkt rtn %d [%d]\n", + fprintf(stderr,"kssl_sget_tkt rtn %d [%d]\n", krb5rc, kssl_err.reason); if (kssl_err.text) - printf("kssl_err text= %s\n", kssl_err.text); + fprintf(stderr,"kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason); @@ -2437,10 +2493,10 @@ int ssl3_get_client_key_exchange(SSL *s) &authtime, &kssl_err)) != 0) { #ifdef KSSL_DEBUG - printf("kssl_check_authent rtn %d [%d]\n", + fprintf(stderr,"kssl_check_authent rtn %d [%d]\n", krb5rc, kssl_err.reason); if (kssl_err.text) - printf("kssl_err text= %s\n", kssl_err.text); + fprintf(stderr,"kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason); @@ -2958,7 +3014,7 @@ int ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) + if (peer != NULL) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); @@ -3362,6 +3418,11 @@ int ssl3_send_server_certificate(SSL *s) } l=ssl3_output_cert_chain(s,x); + if (!l) + { + SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); + return(0); + } s->state=SSL3_ST_SW_CERT_B; s->init_num=(int)l; s->init_off=0; diff --git a/ssl/srtp.h b/ssl/srtp.h index 24f23309d7c4..096b624d0d8c 100644 --- a/ssl/srtp.h +++ b/ssl/srtp.h @@ -1,4 +1,4 @@ -/* ssl/tls1.h */ +/* ssl/srtp.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -118,6 +118,8 @@ #ifndef HEADER_D1_SRTP_H #define HEADER_D1_SRTP_H +#include + #ifdef __cplusplus extern "C" { #endif diff --git a/ssl/ssl.h b/ssl/ssl.h index b78a1cce4409..2ba5923204d2 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -596,9 +596,8 @@ struct ssl_session_st #define SSL_OP_SINGLE_ECDH_USE 0x00080000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set to always use the tmp_rsa key when doing RSA operations, - * even when this violates protocol specs */ -#define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* Does nothing: retained for compatibiity */ +#define SSL_OP_EPHEMERAL_RSA 0x0 /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L @@ -654,8 +653,13 @@ struct ssl_session_st #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Send TLS_FALLBACK_SCSV in the ClientHello. - * To be set by applications that reconnect with a downgraded protocol - * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ + * To be set only by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. + * + * DO NOT ENABLE THIS if your application attempts a normal handshake. + * Only use this in explicit fallback retries, following the guidance + * in draft-ietf-tls-downgrade-scsv-00. + */ #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, @@ -688,6 +692,10 @@ struct ssl_session_st SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL) #define SSL_set_mtu(ssl, mtu) \ SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL) +#define DTLS_set_link_mtu(ssl, mtu) \ + SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL) +#define DTLS_get_link_min_mtu(ssl) \ + SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL) #define SSL_get_secure_renegotiation_support(ssl) \ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) @@ -1627,6 +1635,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 #define SSL_CTRL_CHECK_PROTO_VERSION 119 +#define DTLS_CTRL_SET_LINK_MTU 120 +#define DTLS_CTRL_GET_LINK_MIN_MTU 121 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1878,13 +1888,15 @@ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ #endif +#ifndef OPENSSL_NO_SSL3_METHOD const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ +#endif -const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ +const SSL_METHOD *SSLv23_method(void); /* Negotiate highest available SSL/TLS version */ +const SSL_METHOD *SSLv23_server_method(void); /* Negotiate highest available SSL/TLS version */ +const SSL_METHOD *SSLv23_client_method(void); /* Negotiate highest available SSL/TLS version */ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 85f150409d21..6fad054e03c5 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -393,8 +393,12 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* + * Set when the handshake is ready to process peer's ChangeCipherSpec message. + * Cleared after the message has been processed. + */ #define SSL3_FLAGS_CCS_OK 0x0080 - + /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us * from restarting the handshake in a loop. It's reset on a @@ -456,8 +460,11 @@ typedef struct ssl3_state_st * and freed and MD_CTX-es for all required digests are stored in * this array */ EVP_MD_CTX **handshake_dgst; - /* this is set whenerver we see a change_cipher_spec message - * come in when we are not looking for one */ + /* + * Set whenever an expected ChangeCipherSpec message is processed. + * Unset when the peer's Finished message is received. + * Unexpected ChangeCipherSpec messages trigger a fatal alert. + */ int change_cipher_spec; int warn_alert; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 5123a89182e5..cef3ff46e4a3 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -286,35 +286,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); - - switch(i) - { - /* If there was anything special to do for - * certain types of keys, we'd do it here. - * (Nothing at the moment, I think.) */ - - case SSL_PKEY_RSA_ENC: - case SSL_PKEY_RSA_SIGN: - /* We have an RSA key. */ - break; - - case SSL_PKEY_DSA_SIGN: - /* We have a DSA key. */ - break; - - case SSL_PKEY_DH_RSA: - case SSL_PKEY_DH_DSA: - /* We have a DH key. */ - break; - - case SSL_PKEY_ECC: - /* We have an ECC key */ - break; - - default: - /* Can't happen. */ - SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG); - } } } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 8188ff5d95c1..b767361e79b8 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -814,7 +814,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, co_list[co_list_num].active = 0; co_list_num++; #ifdef KSSL_DEBUG - printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); + fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); #endif /* KSSL_DEBUG */ /* if (!sk_push(ca_list,(char *)c)) goto err; @@ -931,7 +931,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, int reverse = 0; #ifdef CIPHER_DEBUG - printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", + fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); #endif @@ -977,7 +977,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, else { #ifdef CIPHER_DEBUG - printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); + fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) @@ -997,7 +997,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, } #ifdef CIPHER_DEBUG - printf("Action = %d\n", rule); + fprintf(stderr, "Action = %d\n", rule); #endif /* add the cipher if it has not been added yet. */ @@ -1386,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ num_of_ciphers = ssl_method->num_ciphers(); #ifdef KSSL_DEBUG - printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); + fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); if (co_list == NULL) @@ -1513,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG - printf("<%s>\n",curr->cipher->name); + fprintf(stderr, "<%s>\n",curr->cipher->name); #endif } } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 3f66fc061db5..4a62b4a790db 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -383,13 +383,7 @@ SSL *SSL_new(SSL_CTX *ctx) return(s); err: if (s != NULL) - { - if (s->cert != NULL) - ssl_cert_free(s->cert); - if (s->ctx != NULL) - SSL_CTX_free(s->ctx); /* decrement reference count */ - OPENSSL_free(s); - } + SSL_free(s); SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); return(NULL); } @@ -1080,19 +1074,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) l=s->max_cert_list; s->max_cert_list=larg; return(l); - case SSL_CTRL_SET_MTU: -#ifndef OPENSSL_NO_DTLS1 - if (larg < (long)dtls1_min_mtu()) - return 0; -#endif - - if (SSL_version(s) == DTLS1_VERSION || - SSL_version(s) == DTLS1_BAD_VER) - { - s->d1->mtu = larg; - return larg; - } - return 0; case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; @@ -1507,6 +1488,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); goto err; } + p += n; continue; } @@ -2112,7 +2094,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #ifdef CIPHER_DEBUG - printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", + fprintf(stderr,"rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp, rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); #endif @@ -2996,10 +2978,32 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) } ssl_cert_free(ocert); } + + /* + * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), + * so setter APIs must prevent invalid lengths from entering the system. + */ + OPENSSL_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)); + + /* + * If the session ID context matches that of the parent SSL_CTX, + * inherit it from the new SSL_CTX as well. If however the context does + * not match (i.e., it was set per-ssl with SSL_set_session_id_context), + * leave it unchanged. + */ + if ((ssl->ctx != NULL) && + (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) && + (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) + { + ssl->sid_ctx_length = ctx->sid_ctx_length; + memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); + } + CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); if (ssl->ctx != NULL) SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; + return(ssl->ctx); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 98888d2df373..1b8fa8c4cbf6 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -864,7 +864,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); int ssl2_enc_init(SSL *s, int client); int ssl2_generate_key_material(SSL *s); -void ssl2_enc(SSL *s,int send_data); +int ssl2_enc(SSL *s,int send_data); void ssl2_mac(SSL *s,unsigned char *mac,int send_data); const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p); int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); @@ -997,7 +997,9 @@ void dtls1_stop_timer(SSL *s); int dtls1_is_timer_expired(SSL *s); void dtls1_double_timeout(SSL *s); int dtls1_send_newsession_ticket(SSL *s); -unsigned int dtls1_min_mtu(void); +unsigned int dtls1_min_mtu(SSL *s); +unsigned int dtls1_link_min_mtu(void); +void dtls1_hm_fragment_free(hm_fragment *frag); /* some client-only functions */ int ssl3_client_hello(SSL *s); @@ -1014,7 +1016,6 @@ int ssl3_get_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); #ifndef OPENSSL_NO_TLSEXT -int ssl3_check_finished(SSL *s); # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s); # endif diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index ad40fadd02cc..235f92d824cd 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -335,7 +335,21 @@ int ssl_get_new_session(SSL *s, int session) return(0); } #ifndef OPENSSL_NO_TLSEXT - /* If RFC4507 ticket use empty session ID */ + /* + * If RFC5077 ticket, use empty session ID (as server). + * Note that: + * (a) ssl_get_prev_session() does lookahead into the + * ClientHello extensions to find the session ticket. + * When ssl_get_prev_session() fails, s3_srvr.c calls + * ssl_get_new_session() in ssl3_get_client_hello(). + * At that point, it has not yet parsed the extensions, + * however, because of the lookahead, it already knows + * whether a ticket is expected or not. + * + * (b) s3_clnt.c calls ssl_get_new_session() before parsing + * ServerHello extensions, and before recording the session + * ID received from the server, so this block is a noop. + */ if (s->tlsext_ticket_expected) { ss->session_id_length = 0; diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 4f80be8ee4d8..08889569f4ef 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -345,7 +345,7 @@ static void sv_usage(void) #ifndef OPENSSL_NO_SSL2 fprintf(stderr," -ssl2 - use SSLv2\n"); #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD fprintf(stderr," -ssl3 - use SSLv3\n"); #endif #ifndef OPENSSL_NO_TLS1 @@ -368,7 +368,9 @@ static void sv_usage(void) " Use \"openssl ecparam -list_curves\" for all names\n" \ " (default is sect163r2).\n"); #endif - fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); + fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n" + " When this option is requested, the cipherlist\n" + " tests are run instead of handshake tests.\n"); } static void print_details(SSL *c_ssl, const char *prefix) @@ -549,6 +551,7 @@ int main(int argc, char *argv[]) #ifdef OPENSSL_FIPS int fips_mode=0; #endif + int no_protocol = 0; verbose = 0; debug = 0; @@ -658,11 +661,26 @@ int main(int argc, char *argv[]) } #endif else if (strcmp(*argv,"-ssl2") == 0) - ssl2=1; + { +#ifdef OPENSSL_NO_SSL2 + no_protocol = 1; +#endif + ssl2 = 1; + } else if (strcmp(*argv,"-tls1") == 0) - tls1=1; + { +#ifdef OPENSSL_NO_TLS1 + no_protocol = 1; +#endif + tls1 = 1; + } else if (strcmp(*argv,"-ssl3") == 0) - ssl3=1; + { +#ifdef OPENSSL_NO_SSL3_METHOD + no_protocol = 1; +#endif + ssl3 = 1; + } else if (strncmp(*argv,"-num",4) == 0) { if (--argc < 1) goto bad; @@ -781,15 +799,41 @@ bad: goto end; } + /* + * test_cipherlist prevails over protocol switch: we test the cipherlist + * for all enabled protocols. + */ if (test_cipherlist == 1) { /* ensure that the cipher list are correctly sorted and exit */ + fprintf(stdout, "Testing cipherlist order only. Ignoring all " + "other options.\n"); if (do_test_cipherlist() == 0) EXIT(1); ret = 0; goto end; } + if (ssl2 + ssl3 + tls1 > 1) + { + fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should " + "be requested.\n"); + EXIT(1); + } + + /* + * Testing was requested for a compiled-out protocol (e.g. SSLv2). + * Ideally, we would error out, but the generic test wrapper can't know + * when to expect failure. So we do nothing and return success. + */ + if (no_protocol) + { + fprintf(stderr, "Testing was requested for a disabled protocol. " + "Skipping tests.\n"); + ret = 0; + goto end; + } + if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " @@ -868,30 +912,25 @@ bad: } #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) +/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available. + * (Otherwise we exit early.) + * However the compiler doesn't know this, so we ifdef. */ +#ifndef OPENSSL_NO_SSL2 if (ssl2) meth=SSLv2_method(); - else - if (tls1) - meth=TLSv1_method(); else +#endif +#ifndef OPENSSL_NO_SSL3 if (ssl3) meth=SSLv3_method(); else - meth=SSLv23_method(); -#else -#ifdef OPENSSL_NO_SSL2 +#endif +#ifndef OPENSSL_NO_TLS1 if (tls1) meth=TLSv1_method(); else - if (ssl3) - meth=SSLv3_method(); - else - meth=SSLv23_method(); -#else - meth=SSLv2_method(); -#endif #endif + meth=SSLv23_method(); c_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 1923cf3e9d12..1308c0344fea 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -303,15 +303,15 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, s->session->master_key,s->session->master_key_length, km,tmp,num); #ifdef KSSL_DEBUG - printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", + fprintf(stderr,"tls1_generate_key_block() ==> %d byte master_key =\n\t", s->session->master_key_length); { int i; for (i=0; i < s->session->master_key_length; i++) { - printf("%02X", s->session->master_key[i]); + fprintf(stderr,"%02X", s->session->master_key[i]); } - printf("\n"); } + fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ return ret; } @@ -349,19 +349,19 @@ int tls1_change_cipher_state(SSL *s, int which) #endif #ifdef KSSL_DEBUG - printf("tls1_change_cipher_state(which= %d) w/\n", which); - printf("\talg= %ld/%ld, comp= %p\n", + fprintf(stderr,"tls1_change_cipher_state(which= %d) w/\n", which); + fprintf(stderr,"\talg= %ld/%ld, comp= %p\n", s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, comp); - printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); - printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", + fprintf(stderr,"\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); + fprintf(stderr,"\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", c->nid,c->block_size,c->key_len,c->iv_len); - printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); + fprintf(stderr,"\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); { int i; for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); + fprintf(stderr,"%02x", s->s3->tmp.key_block[i]); fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -540,11 +540,11 @@ printf("which = %04X\nmac key=",which); #ifdef KSSL_DEBUG { int i; - printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); - printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]); - printf("\n"); - printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]); - printf("\n"); + fprintf(stderr,"EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); + fprintf(stderr,"\tkey= "); for (i=0; ikey_len; i++) fprintf(stderr,"%02x", key[i]); + fprintf(stderr,"\n"); + fprintf(stderr,"\t iv= "); for (i=0; iiv_len; i++) fprintf(stderr,"%02x", iv[i]); + fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -591,7 +591,7 @@ int tls1_setup_key_block(SSL *s) int ret=0; #ifdef KSSL_DEBUG - printf ("tls1_setup_key_block()\n"); + fprintf(stderr,"tls1_setup_key_block()\n"); #endif /* KSSL_DEBUG */ if (s->s3->tmp.key_block_length != 0) @@ -740,7 +740,7 @@ int tls1_enc(SSL *s, int send) } #ifdef KSSL_DEBUG - printf("tls1_enc(%d)\n", send); + fprintf(stderr,"tls1_enc(%d)\n", send); #endif /* KSSL_DEBUG */ if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) @@ -812,18 +812,18 @@ int tls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { unsigned long ui; - printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", + fprintf(stderr,"EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + fprintf(stderr,"\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n", ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, DES_SCHEDULE_SZ, ds->cipher->iv_len); - printf("\t\tIV: "); - for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); - printf("\n"); - printf("\trec->input="); - for (ui=0; uiinput[ui]); - printf("\n"); + fprintf(stderr,"\t\tIV: "); + for (i=0; icipher->iv_len; i++) fprintf(stderr,"%02X", ds->iv[i]); + fprintf(stderr,"\n"); + fprintf(stderr,"\trec->input="); + for (ui=0; uiinput[ui]); + fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -848,9 +848,9 @@ int tls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { unsigned long i; - printf("\trec->data="); + fprintf(stderr,"\trec->data="); for (i=0; idata[i]); printf("\n"); + fprintf(stderr," %02x", rec->data[i]); fprintf(stderr,"\n"); } #endif /* KSSL_DEBUG */ @@ -1048,10 +1048,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); #ifdef TLS_DEBUG -printf("seq="); -{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } -printf("rec="); -{unsigned int z; for (z=0; zlength; z++) printf("%02X ",rec->data[z]); printf("\n"); } +fprintf(stderr,"seq="); +{int z; for (z=0; z<8; z++) fprintf(stderr,"%02X ",seq[z]); fprintf(stderr,"\n"); } +fprintf(stderr,"rec="); +{unsigned int z; for (z=0; zlength; z++) fprintf(stderr,"%02X ",rec->data[z]); fprintf(stderr,"\n"); } #endif if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) @@ -1064,7 +1064,7 @@ printf("rec="); } #ifdef TLS_DEBUG -{unsigned int z; for (z=0; z sizeof(nid_list)/sizeof(nid_list[0]))) return 0; @@ -242,7 +254,7 @@ int tls1_ec_curve_id2nid(int curve_id) int tls1_ec_nid2curve_id(int nid) { - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ + /* ECC curves from RFC 4492 */ switch (nid) { case NID_sect163k1: /* sect163k1 (1) */ @@ -488,11 +500,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c s2n(TLSEXT_TYPE_elliptic_curves,ret); s2n(s->tlsext_ellipticcurvelist_length + 2, ret); - /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for - * elliptic_curve_list, but the examples use two bytes. - * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html - * resolves this to two bytes. - */ s2n(s->tlsext_ellipticcurvelist_length, ret); memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); ret+=s->tlsext_ellipticcurvelist_length; @@ -998,6 +1005,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in ssl_check_for_safari(s, data, d, n); #endif /* !OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_SRP + if (s->srp_ctx.login != NULL) + { + OPENSSL_free(s->srp_ctx.login); + s->srp_ctx.login = NULL; + } +#endif + + s->srtp_profile = NULL; + if (data >= (d+n-2)) goto ri_check; n2s(data,len); @@ -1192,7 +1209,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2 || - ellipticcurvelist_length < 1) + ellipticcurvelist_length < 1 || + /* Each NamedCurve is 2 bytes. */ + ellipticcurvelist_length & 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1506,6 +1525,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in #ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; #endif + s->tlsext_ticket_expected = 0; #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | @@ -1800,7 +1820,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s) s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ + /* we support all named elliptic curves in RFC 4492 */ if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) -- cgit v1.2.3